* [PATCH] net-shapers: free rollback entries using kfree_rcu [not found] <CAKvcANOzRwFk0jm4xBfMGVNJrgGhBT8zvb6r49qc=WdB5zP_fg@mail.gmail.com> @ 2026-03-28 18:58 ` Kangzheng Gu 2026-03-31 1:15 ` Jakub Kicinski 0 siblings, 1 reply; 5+ messages in thread From: Kangzheng Gu @ 2026-03-28 18:58 UTC (permalink / raw) To: gregkh, davem, edumazet, kuba, pabeni, horms, kees, p, xiaoguai0992 Cc: netdev, stable, linux-kernel net_shaper_rollback() removes NET_SHAPER_NOT_VALID entries and frees them using kfree(), which can race with net_shaper_nl_get_dumpit() and lead to a use-after-free in net_shaper_fill_one(). Use kfree_rcu() instead of kfree() to free rollback entries, since net_shaper_nl_get_dumpit() protects shaper access with rcu_read_lock(). Cc: stable@vger.kernel.org Fixes: 93954b40f6a4 ("net-shapers: implement NL set and delete operations") Signed-off-by: Kangzheng Gu <xiaoguai0992@gmail.com> --- net/shaper/shaper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/shaper/shaper.c b/net/shaper/shaper.c index 94bc9c7382ea..8922f7f64768 100644 --- a/net/shaper/shaper.c +++ b/net/shaper/shaper.c @@ -434,7 +434,7 @@ static void net_shaper_rollback(struct net_shaper_binding *binding) xa_for_each_marked(&hierarchy->shapers, index, cur, NET_SHAPER_NOT_VALID) { __xa_erase(&hierarchy->shapers, index); - kfree(cur); + kfree_rcu(cur, rcu); } xa_unlock(&hierarchy->shapers); } -- 2.50.1 ^ permalink raw reply related [flat|nested] 5+ messages in thread
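Review bot: The changelog for the kfree(cur) to kfree_rcu(cur, rcu) swap inside the xa_for_each_marked() loop of net_shaper_rollback() does not explain how a reader under rcu_read_lock() in net_shaper_nl_get_dumpit() comes to hold an entry that still carries NET_SHAPER_NOT_VALID. Deferring the free keeps the memory alive for that reader, but the reader would then still hand a rolled-back entry to net_shaper_fill_one(), so please state whether the dump path is expected to skip marked entries and, if it is not, consider adding that check alongside this change. Including the report or reproducer that showed the use-after-free would also help reviewers judge the Fixes: tag and the stable backport.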
* Re: [PATCH] net-shapers: free rollback entries using kfree_rcu
From: Jakub Kicinski @ 2026-03-31 1:15 UTC
To: Kangzheng Gu
Cc: gregkh, davem, edumazet, pabeni, horms, kees, p, netdev, stable, linux-kernel

On Sat, 28 Mar 2026 18:58:04 +0000 Kangzheng Gu wrote:
> net_shaper_rollback() removes NET_SHAPER_NOT_VALID entries and frees
> them using kfree(), which can race with net_shaper_nl_get_dumpit() and
> lead to a use-after-free in net_shaper_fill_one().
>
> Use kfree_rcu() instead of kfree() to free rollback entries, since
> net_shaper_nl_get_dumpit() protects shaper access with rcu_read_lock().

If dump can see NOT_VALID entries we have a bigger problem than a UAF
don't you think? :/
* Re: [PATCH] net-shapers: free rollback entries using kfree_rcu
From: Kangzheng Gu @ 2026-03-31 7:41 UTC
To: Jakub Kicinski
Cc: gregkh, davem, edumazet, pabeni, horms, kees, p, netdev, stable, linux-kernel

Hi,

Jakub Kicinski <kuba@kernel.org> wrote on Tue, Mar 31, 2026 at 09:15:
> If dump can see NOT_VALID entries we have a bigger problem than a UAF
> don't you think? :/

I am not sure. My concern is whether the NOT_VALID can be exposed to
user by design. I find that NOT_VALID is used in limited places. A
representative one is net_shaper_nl_get_doit calling net_shaper_lookup
to check the NOT_VALID flag. If it is a problem, maybe there are more
paths that should be guarded with a NOT_VALID check.

I use the kfree_rcu since net_shaper_pre_insert has another failing
path like this:

    xa_lock(&hierarchy->shapers);
    prev = __xa_store(&hierarchy->shapers, index, cur, GFP_KERNEL);
    __xa_set_mark(&hierarchy->shapers, index, NET_SHAPER_NOT_VALID);
    xa_unlock(&hierarchy->shapers);
    if (xa_err(prev)) {
        NL_SET_ERR_MSG(extack, "Can't insert shaper into device store");
        kfree_rcu(cur, rcu);
        ret = xa_err(prev);
        goto free_id;
    }

Besides rollback, I also find another kfree(cur) in net_shaper_flush,
which I reported several weeks ago to security@kernel:
<CAKvcANOZufuVeDqPAuMWh0GCiV5pGmmZHrRo_V+_8YSG7Cs_ag@mail.gmail.com>
It involves another free of shaper using kfree instead of kfree_rcu, I
think it is also a problem.

I noticed this patch
https://patchwork.kernel.org/project/netdevbpf/patch/20260309173450.538026-1-p@1g4.org/,
but it seems that there is no further progress on it.

Except in rollback and flush, all other frees of shaper use kfree_rcu,
so I think that it may be just the problem of free rather than the flag.

Best Regards,
Kangzheng
* Re: [PATCH] net-shapers: free rollback entries using kfree_rcu
From: Jakub Kicinski @ 2026-04-01 1:33 UTC
To: Kangzheng Gu
Cc: gregkh, davem, edumazet, pabeni, horms, kees, p, netdev, stable, linux-kernel

On Tue, 31 Mar 2026 15:41:28 +0800 Kangzheng Gu wrote:
> Jakub Kicinski <kuba@kernel.org> wrote on Tue, Mar 31, 2026 at 09:15:
> > If dump can see NOT_VALID entries we have a bigger problem than a UAF
> > don't you think? :/
> I am not sure.

Please experiment and return once you are sure.
netdevsim (netdev simulator) driver supports net_shapers, so you can
easily exercise this code in a VM.
* Re: [PATCH] net-shapers: free rollback entries using kfree_rcu
From: Paul Moses @ 2026-04-01 11:59 UTC
To: Jakub Kicinski
Cc: Kangzheng Gu, gregkh, davem, edumazet, pabeni, horms, kees, netdev, stable, linux-kernel

> I noticed this patch
> https://patchwork.kernel.org/project/netdevbpf/patch/20260309173450.538026-1-p@1g4.org/,
> but it seems that there is no further progress on it.

> Please experiment and return once you are sure.
> netdevsim (netdev simulator) driver supports net_shapers, so you can
> easily exercise this code in a VM.

Unfortunately in the case of shaper.c, netdevsim only implemented stubs
that return 0, so it's not a 1:1 representation of the physical
drivers. The rollback path specifically is not reliably reachable with
netdevsim, whereas it looks like a proper trigger with real hardware.
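The two concerns raised in this thread, as a single-threaded userspace model added here (not code from the patch or the kernel tree): it replays one interleaving in which a reader loads a tentative entry before rollback runs, and reports what the reader ends up touching. race(), pool and the reader_skips_not_valid switch are constructed for illustration; whether the real dump path skips NET_SHAPER_NOT_VALID entries is the open question in the thread, so it is a parameter here rather than a claim.

```c
/* Userspace model of one fixed interleaving; constructed, not kernel code. */
#include <stdbool.h>
#include <stddef.h>

enum { SAW_FREED = 1, SAW_NOT_VALID = 2 };
struct shaper { bool not_valid; bool freed; };  /* freed: kfree() has run */

static struct shaper pool[1], *slot, *pending;  /* object, xarray slot, deferred free */
static int readers;                             /* rcu_read_lock() sections in flight */

/* Deferred frees run only once no reader section is in flight. */
static void grace_period(void)
{
    if (readers == 0 && pending) {
        pending->freed = true;
        pending = NULL;
    }
}

/* Model of the rollback loop body: erase the marked entry, then free it. */
static void rollback(bool defer_free)
{
    struct shaper *cur = slot;

    if (!cur || !cur->not_valid)
        return;
    slot = NULL;                 /* __xa_erase() */
    if (defer_free)
        pending = cur;           /* kfree_rcu(cur, rcu) */
    else
        cur->freed = true;       /* kfree(cur) */
}

/* Reader loads the entry, rollback runs, then the reader dereferences it. */
int race(bool defer_free, bool reader_skips_not_valid)
{
    struct shaper *p;
    int seen = 0;

    pool[0] = (struct shaper){ .not_valid = true };  /* tentative insert */
    slot = &pool[0];
    pending = NULL;
    readers++;                                       /* rcu_read_lock() */
    p = slot;
    if (p && reader_skips_not_valid && p->not_valid)
        p = NULL;                                    /* reader honours the mark */
    rollback(defer_free);                            /* writer runs in between */
    if (p)
        seen = p->freed ? SAW_FREED : (p->not_valid ? SAW_NOT_VALID : 0);
    readers--;                                       /* rcu_read_unlock() */
    grace_period();
    return seen;
}
```

In this model the deferred free removes SAW_FREED but leaves SAW_NOT_VALID for a reader that does not check the mark, which is the distinction the replies are arguing about.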